Info Security Products Guide
2008 Shaping Info Security

The creation of an applicable, comprehensive application security report


SITUATION/CHALLENGE - The Internet continues to be a powerful force driving business and commerce, and organizations increasingly use it to manage internal corporate data and operational activities through intranet applications. With over $108B[1] in e-commerce retail, over $2 trillion[2] in business-to-business transactions and over 233 million[3] users in the U.S. alone, the online presence of a business or organization centers on Web applications that store, transmit and manage confidential information. Until quite recently, the firewall and its associated security technologies were the first line of defense against the theft of confidential information. Today, with Web applications in widespread use and ports 80 and 443 open to the Internet almost everywhere, an attack carried inside an HTTP request passes straight through the network perimeter; the security and configuration of the Web application itself is the first and last line of defense against malicious attacks and confidential data leaks. One recent study[4] projects that in 2007 more than 70 million confidential records will be exposed unprotected on the Internet or directly compromised by a cyber-attack.

Previous Internet security threat reports, while robust research products, provide limited information on application security and little detail on the attack data they discuss. Because they offer no monthly breakdowns, no comprehensive detail and no backdrop against which to correlate the data, how applicable the threats they present are depends entirely on the reader's own understanding. Where there are gaps in the industry's knowledge of attacks, there are weaknesses that can be exploited unnoticed.

Given the level of threat the industry currently faces, a report focused exclusively on application security, presented in an accurate, informative and usable format, is needed as a single starting point for preventing and protecting against the leading vulnerabilities.

[1] http://www.census.gov - 2006 data
[2] http://www.census.gov - E-Stats, extrapolated from 2004 data
[3] http://www.InternetWorldStats.com
[4] http://www.nta-monitor.com/posts/2007/03/webapp.html



SOLUTION - Tom Stracener devised, developed and compiled a trend report focused on application security that supplied the details missing from previous Internet security trend reports. Using the resources of Cenzic Intelligent Analysis (CIA) Labs, Tom and his team gathered data, produced in-depth contextual analysis and highlighted the ten vulnerabilities of most concern to the security industry on a quarterly basis throughout 2007.

The CIA team specializes in continuous research into application vulnerabilities and the latest tools and techniques used in the field of application security. It tracks new vulnerabilities and trends by monitoring Internet newsgroups, forums, mailing lists and underground websites where vulnerability information is released. In addition to its research focus, CIA experts also perform vulnerability assessment, penetration testing and security testing. Cenzic has dedicated experts whose sole job is to perform ongoing research to find not only common vulnerabilities but also new or undisclosed vulnerabilities in custom, commercial and open-source applications, and to make this information available to customers and to the community at large in the form of publications and security alerts. This team of security experts was well placed both to recognize the value of the intended report and to provide insight into the data collected.

The project was not without complications: unlike other producers of Internet security reports, the CIA team had no global network of thousands of intrusion sensors to tap as a data feed. Keeping the goal of a comprehensive application security trends report in sight, Tom turned to the SANS Internet Storm Center and DShield as sources of raw data, querying them for probe and attack data on specific ports. That data is compiled in raw form from the firewall, IDS, router and ACL logs that thousands of users submit to these organizations, which crunch the statistics on blocked traffic daily. It gives a picture of probing and attack activity and is very useful for high-level trends and patterns. The drawbacks are that the data is self-reported, counts hits per port rather than per vulnerability, and arrives uninterpreted: essentially piles of numbers with no organization and no way to cross-reference them.

Rather than trying to build a story around every peak and curve on a graph of such data, the team used these piles of numbers to generate a backdrop against which to consider the observed activity. After each month's probe and attack data was compiled, a list of major events from the same timeframe was produced, along with information from US-CERT. This created a landscape against which a reader could observe the trends and draw their own conclusions. The backdrop also served to highlight significant application security events that occurred during each quarter of 2007.

Tom and the CIA team then tackled the Herculean task of counting and categorizing all of the application vulnerabilities reported during each quarter. Over a period of weeks, the data was sifted for patterns and trends and organized into correlated groupings.

In addition to the probe and attack data from outside sources, information was pulled from Cenzic's ClickToSecure service on the types of vulnerabilities found to be most prevalent in the applications it assesses; unlike the port statistics, this data comes from actual testing rather than self-reporting by users. These figures, coupled with the backdrop created by the major attack activities and reported vulnerability issues, shaped an application security vulnerabilities trends report that offered a breakdown of data by month, comprehensive details and a landscape against which to correlate the data.
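The method described in the preceding paragraphs (monthly port-probe totals as a backdrop, an event timeline laid over them, and a tally of reported vulnerabilities by category) can be sketched in a few functions. The code below is an added illustration, not Cenzic's or DShield's own tooling. The "date,port,count" record format, the event list and the vulnerability entries are all constructed for the example and do not reflect any real DShield export or US-CERT bulletin; only the aggregation logic is the point.

```python
"""Monthly Web-port probe backdrop with an event overlay and a vulnerability tally.

Added example; not code from Cenzic or DShield. All input data below is
constructed, and the record format "YYYY-MM-DD,port,count" is hypothetical.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed daily per-port probe counts (hypothetical format, not DShield's).
PROBE_LINES = """\
2007-01-03,80,1200
2007-01-10,443,300
2007-01-17,22,5000
2007-02-05,80,1500
2007-02-20,443,350
2007-03-02,80,4100
2007-03-09,443,900
2007-03-15,80,2000
""".splitlines()

# Constructed event timeline (hypothetical; not taken from US-CERT).
EVENTS = [
    (date(2007, 3, 1), "constructed example: mass scanning for a PHP application flaw"),
]

# Constructed vulnerability disclosures as (hypothetical id, category).
VULNS = [
    ("V-1", "SQL Injection"), ("V-2", "XSS"), ("V-3", "XSS"),
    ("V-4", "Path Traversal"), ("V-5", "XSS"), ("V-6", "SQL Injection"),
]

WEB_PORTS = frozenset({80, 443})  # the ports the firewall leaves open


def parse_probes(lines):
    """Parse 'date,port,count' lines into (date, port, count) tuples; skip blanks/comments."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, port, count = line.split(",")
        records.append((date.fromisoformat(day), int(port), int(count)))
    return records


def monthly_web_probes(records, ports=WEB_PORTS):
    """Sum probe counts per (year, month) over the given ports only."""
    totals = defaultdict(int)
    for day, port, count in records:
        if port in ports:
            totals[(day.year, day.month)] += count
    return dict(totals)


def backdrop(records, events, ports=WEB_PORTS):
    """Return one row per month: total Web-port probes, percent change from the
    previous month (None for the first), and the events that fall in that month.
    The percent change is what lets a reader spot a spike against the backdrop."""
    totals = monthly_web_probes(records, ports)
    rows, prev = [], None
    for ym in sorted(totals):
        total = totals[ym]
        change = None if prev is None else (total - prev) / prev * 100.0
        month_events = [label for d, label in events if (d.year, d.month) == ym]
        rows.append({"month": "%04d-%02d" % ym, "probes": total,
                     "pct_change": change, "events": month_events})
        prev = total
    return rows


def tally_categories(vulns):
    """Count reported vulnerabilities by category, most common first."""
    return Counter(cat for _, cat in vulns).most_common()


if __name__ == "__main__":
    for row in backdrop(parse_probes(PROBE_LINES), EVENTS):
        print(row)
    print(tally_categories(VULNS))
```

Port 22 traffic is dropped by the port filter, so the backdrop reflects only the Web-facing ports, and the March row carries both the jump in probes and the event that coincides with it, leaving the interpretation to the reader as the report intended.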

The report was published quarterly throughout 2007, with the Q4 Trend Report highlighting year-long trends and points of concern, providing a thorough analysis of reported vulnerabilities, Web application probes, attack statistics and key findings, and focusing on the commercial and open-source applications most likely to be targeted as sources of monetary loss for companies. Available free of charge for download from Cenzic's website, the reports were positioned and developed as a usable, accessible tool for security managers, software developers and anyone else needing a more thorough understanding of the application security landscape. Data from the reports has been quoted in numerous industry articles and has sparked conversations throughout the blogosphere. There is general agreement on the need for an overarching viewpoint when observing these trends, and by all accounts the 2007 Application Security Trends Reports have fulfilled Tom's goal of creating an applicable, comprehensive application security report.

Nor are Tom and the CIA team resting on the successes of their initial year of reporting: quarterly reports are planned throughout 2008. The Application Security Trend Reports will continue to refine the classification of the top vulnerability trends at a consistent level of abstraction, while separating the characteristics of Web application technology from those of Web-enabled technology. By covering both traditional Web application vulnerabilities and Web-enabled technology vulnerabilities, the reports will help inform and protect the security community while keeping a clear distinction between traditional server-side applications and client-side technologies that carry Web-based vulnerabilities.

Tom Stracener conceived the application security trends report and also developed the strategy to collect the data and process it into a readily understandable form. He took a hands-on approach to ensure that the report met the industry's needs, sifting through data himself and guiding a team of researchers through the tasks needed to create a well-rounded picture of the application security landscape. His vision of an applicable, comprehensive application security trends report produced a well-received and widely applicable report that continues to evolve quarterly to meet the changing needs of the security community.



CONCLUSION - The Application Security Trends Report provides a thorough analysis of reported vulnerabilities, Web application probes, attack statistics and key findings in a reader-friendly format. That format identifies current risks in existing applications in the context of successful attacks and newly recognized vulnerabilities, helping security managers define company protocols and pointing developers toward areas of weakness earlier in the software development lifecycle. In any effort to secure applications, knowledge is power, and ready access to the information in the quarterly 2007 Application Security Trends Reports puts that power in the hands of readers to protect their applications and their companies from attack.


Tom Stracener was one of the founding members of nCircle Network Security. While at nCircle he served as head of vulnerability research from 1999 to 2001, developing one of the industry's first quantitative vulnerability scoring systems and co-inventing several patented technologies. Tom is an experienced security consultant, penetration tester and vulnerability researcher. One of his patents, "Interoperability of vulnerability and intrusion detection systems," was granted by the USPTO in October 2005. Tom is the senior security analyst for Cenzic's CIA Labs.

 

Cenzic
455 El Camino Real, Suite 100
Santa Clara, CA 95050
Tel: +1-866-423-6942